CN1429360A - Cryptographic method and device - Google Patents

Publication number
CN1429360A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN01809690.5A
Other languages
Chinese (zh)
Inventor
马丁·塞森
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Giesecke and Devrient GmbH
Original Assignee
Giesecke and Devrient GmbH
Application filed by Giesecke and Devrient GmbH

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F7/00Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; Computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers using residue arithmetic
    • G06F7/723Modular exponentiation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2207/00Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7219Countermeasures against side channel or fault attacks
    • G06F2207/7271Fault verification, e.g. comparing two values which should be the same, unless a computational fault occurred

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)
  • Complex Calculations (AREA)
  • Error Detection And Correction (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Bidet-Like Cleaning Device And Other Flush Toilet Accessories (AREA)
  • Devices For Executing Special Programs (AREA)

Abstract

The invention relates to a cryptographic method comprising at least one arithmetic step which contains a modular exponentiation E, according to the equation $E = x^d \pmod{p \cdot q}$, comprising a first prime factor p, a second prime factor q, an exponent d and a number x. According to said method, the modular exponentiation E is calculated according to the Chinese Remainder Theorem.

Description

Cryptographic method and device
Technical field
The present invention relates to a cryptographic method and a cryptographic device.
Background art
Because of the ever-increasing importance of e-commerce, cryptographic methods in the form of encryption and signature schemes have become widespread. These methods are generally implemented by means of electronic devices, which may comprise, for example, a programmable general-purpose microcontroller or a dedicated electronic circuit, e.g. in the form of an ASIC. A particularly interesting form of cryptographic device is the smart card, since, if properly designed, it can protect secret key data against unauthorized access. Efforts are constantly being made to improve the execution speed of cryptographic methods and to protect them against the various possible kinds of attack. The invention is particularly suitable for use in connection with smart cards, but is not limited to them. It can be implemented in combination with various cryptographic devices.
In many known cryptographic methods a modular exponentiation must be carried out according to the following formula:
$E = x^d \pmod{N} = x^d \pmod{p \cdot q}$ (1)
where p and q are prime numbers. A particularly important cryptographic method comprising a modular exponentiation step is the RSA method, known for example from Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, "Handbook of Applied Cryptography", Boca Raton: CRC Press, 1997, pages 285-291. The use of modular exponentiation is not limited to the RSA method, however, but also includes, for example, the Rabin signature known from Menezes et al., ibid., pages 438-442, and the Fiat-Shamir identification scheme known from Menezes et al., ibid., pages 408-410.
The security of cryptographic methods that include modular exponentiation often depends on the difficulty of factoring the number N from formula (1) into its prime factors p and q. This problem is sufficiently complex only for large values of N, so that, on the one hand, N should be chosen as large as possible. On the other hand, the computational effort of calculating values by modular exponentiation according to formula (1) grows monotonically with the size of N, so that from the point of view of practical application it is desirable to keep the required computing time within acceptable limits even though N takes large values.
It is known that the computing speed can be increased by a factor of four by using the so-called "Chinese Remainder Theorem", which permits, for example, larger values of N in the same computing time. Instead of evaluating formula (1) directly, a transformation is carried out according to the following formula:
$E = x^d \pmod{p \cdot q} = a E_1 + b E_2 \pmod{N}$ (2)
where
$E_1 = x^d \pmod{p}$ (3)
$E_2 = x^d \pmod{q}$ (4)
One consequence of using the Chinese Remainder Theorem is that the modular exponentiation is no longer carried out modulo N, i.e. modulo the number that conceals its own prime factorization, but successively in a first step modulo p and in a second step modulo q. This calculation rule therefore presupposes knowledge of the prime factorization N = p·q, which is to be kept secret, and splits the overall calculation into a first calculation step (3), which essentially involves the first prime factor, and a second calculation step (4), which essentially involves the second prime factor. The advantage is that the exponent d in formula (1) must be defined modulo φ(p·q), whereas the exponents in formula (2) need only be defined modulo φ(p) or φ(q), where φ denotes Euler's function.
Interestingly, an attack on cryptographic methods using modular exponentiation has recently become known by which information about the prime factorization of N can be recovered from the faulty result of a disturbed modular exponentiation, by suitable artificial interference with the otherwise undisturbed calculation sequence, provided the concrete implementation uses the Chinese Remainder Theorem according to formulas (2) to (4). This attack, known as the "Bellcore attack", is described for example in Dan Boneh, Richard A. DeMillo and Richard J. Lipton: "On the importance of checking cryptographic protocols for faults", Advances in Cryptology - EUROCRYPT '97, Lecture Notes in Computer Science 1233, Berlin: Springer, 1997. A cryptographic device is manipulated by physical interference, for example increased clock speed, operating voltage or irradiation, so that calculation errors occur with a certain, not too great probability while the modular exponentiation is carried out according to the Chinese Remainder Theorem. If a calculation error occurs in only one of the two terms in formula (2), the two prime factors p and q can be reconstructed from the faulty exponentiation result.
The consequence to be drawn from this vulnerability of modular exponentiation implemented with the Chinese Remainder Theorem is that the result of the calculation must first be checked for correctness before it is processed further, and in particular before it is output in some form, for example as a signature.
A trivial countermeasure against the "Bellcore attack" is to perform this correctness check by repeating the calculation at least once. In the case of random calculation errors it can be assumed that the result of the first calculation deviates from the result of the check calculation. The main disadvantage of this approach is that a single check calculation already doubles the computing time.
Document WO-A-98/52319 discloses in particular a method for protecting a modular exponentiation carried out according to the Chinese Remainder Theorem against the "Bellcore attack". A secret integer j is selected, for example in the range $[0, 2^k - 1]$ with 16 ≤ k ≤ 32. The following expressions are then calculated:
$v_1 = x \pmod{j \cdot p}$ (5)
$v_2 = x \pmod{j \cdot q}$ (6)
$d_1 = d \pmod{\varphi(j \cdot p)}$ (7)
$d_2 = d \pmod{\varphi(j \cdot q)}$ (8)
$w_1 = v_1^{d_1} \pmod{j \cdot p}$ (9)
$w_2 = v_2^{d_2} \pmod{j \cdot q}$ (10)
It is then checked whether the following holds:
$w_1 = w_2 \pmod{j}$ (11)
If (11) can be verified, the following expressions are calculated by known methods:
$y_1 = w_1 \pmod{p}$ (12)
$y_2 = w_2 \pmod{q}$ (13)
from which the following can then be determined by means of the Chinese Remainder Theorem:
$E = x^d \pmod{N}$ (14)
Compared with simple check calculations, this known method has the advantage that the additional computing time required is considerably lower.
In this method, both primes p and q must be multiplied by the same factor. Document WO-A1-98/52319 discloses a second method that allows the primes p and q to be multiplied by different factors r and s. However, two further exponentiations are required for the check calculation.
Summary of the invention
The problem addressed by the invention is to provide a cryptographic method and device that save calculation operations or computing time while maintaining or increasing security.
This problem is solved by a cryptographic method having the features of claim 1 or 2 and by a cryptographic device having the features of claim 13 or 14.
Dependent claims 3 to 12 and 15 to 24 describe advantageous developments.
Embodiment
As mentioned above, it is advantageous for some arithmetic-logic units if the modulus of the modular exponentiation has many leading binary ones, so that different factors r and s offer a certain advantage here. In addition, there are arithmetic-logic units optimized for modular exponentiation, but the data transfer from the central processing unit to an arithmetic-logic unit optimized only for exponentiation causes considerable overhead. Compared with the above-described method using different factors r and s, the invention saves one exponentiation.
According to the invention, two integers r and s are selected, for example in the range $[0, 2^k - 1]$ with 16 ≤ k ≤ 32, such that d is relatively prime to $\varphi(\operatorname{kgV}(r, s))$, where kgV(r, s) is the least common multiple of r and s and φ() is Euler's function. The following expressions are then calculated:
$x_1 = x \pmod{p \cdot r}$ (15)
$x_2 = x \pmod{q \cdot s}$ (16)
$d_1 = d \pmod{\varphi(p \cdot r)}$ (15)
$d_2 = d \pmod{\varphi(q \cdot s)}$ (16)
$z_1 = x_1^{d_1} \pmod{p \cdot r}$ (15)
$z_2 = x_2^{d_2} \pmod{q \cdot s}$ (16)
It now holds that $z_1 = x_1^d \pmod{p \cdot r}$ and $z_2 = x_2^d \pmod{q \cdot s}$. According to the Chinese Remainder Theorem, a number z can easily be calculated from z1 and z2 with:
$z = z_1 \pmod{p \cdot r}$; $z = z_2 \pmod{q \cdot s}$; $z = x^d \pmod{p \cdot q \cdot \operatorname{kgV}(r, s)}$ (17)
According to the invention, the numbers r and s must be selected so that d is relatively prime to $\varphi(\operatorname{kgV}(r, s))$. Under these circumstances the extended Euclidean algorithm can be used to easily find a natural number e with:
$e \cdot d = 1 \pmod{\varphi(\operatorname{kgV}(r, s))}$ (18)
Using z and e, the number C is calculated according to:
$C = z^e \pmod{\operatorname{kgV}(r, s)}$ (19)
By Euler's theorem:
$C = x^{d \cdot e} = x \pmod{\operatorname{kgV}(r, s)}$ (20)
By comparing the two values C and x modulo kgV(r, s), an error can be detected with high probability. If $C \neq x \pmod{\operatorname{kgV}(r, s)}$ is found, the result of the modular exponentiation is regarded as faulty and is discarded.
In the RSA method (as in the Rabin signature scheme), a modular exponentiation is carried out to generate a digital signature or to decrypt, where the modulus p·q and the exponent d depend only on the private key. Consequently, the numbers d, e, r and s can be calculated once when the private key is installed and stored for reuse.
In a variant of the invention, two integers r and s are selected, for example in the range $[0, 2^k - 1]$ with 16 ≤ k ≤ 32. For binary arithmetic-logic units it is recommended that r and s be odd. In addition, two fixed numbers b1 and b2 that do not depend on x are selected in the intervals [1, ..., r-1] and [1, ..., s-1] and are relatively prime to r and s respectively. If r and s are not relatively prime, b1 and b2 must satisfy the additional condition $b_1 = b_2 \pmod{\operatorname{ggT}(r, s)}$, where ggT(r, s) denotes the greatest common divisor of r and s.
According to the Chinese Remainder Theorem, a number x1 is first calculated with:
$x_1 = x \pmod{p}$, $x_1 = b_1 \pmod{r}$ (21)
A number x2 is calculated likewise with:
$x_2 = x \pmod{q}$, $x_2 = b_2 \pmod{s}$ (22)
The following expressions are then calculated:
$d_1 = d \pmod{\varphi(p)}$ (23)
$d_2 = d \pmod{\varphi(q)}$ (24)
$z_1 = x_1^{d_1} \pmod{p \cdot r}$ (25)
$z_2 = x_2^{d_2} \pmod{q \cdot s}$ (26)
$C_1 = b_1^{d_1} \pmod{r}$ (27)
$C_2 = b_2^{d_2} \pmod{s}$ (28)
To save computing time, the exponents d_1 and d_2 in formulas (27) and (28) can be reduced modulo φ(r) and φ(s) respectively before the modular exponentiation is carried out.
From formulas (23) and (25) it follows that:
$z_1 = x^d \pmod{p}$ (29)
From (24) and (26) it follows that:
$z_2 = x^d \pmod{q}$ (30)
According to the Chinese Remainder Theorem, a number z can easily be calculated from z1 and z2 with:
$z = z_1 \pmod{p \cdot r}$; $z = z_2 \pmod{q \cdot s}$ (31)
Even if r and s are not relatively prime, such a number z exists, because $z_1 = C_1 = b_1^{d_1} = b_2^{d_2} = C_2 = z_2 \pmod{\operatorname{ggT}(r, s)}$. Since p and q are relatively prime, formulas (29), (30) and (31) give:
$z = x^d \pmod{p \cdot q}$ (32)
The desired number z can therefore easily be determined from the values calculated above.
From formulas (21), (25) and (27) it follows that:
$z_1 = C_1 \pmod{r}$ (33)
From formulas (22), (26) and (28) it follows that:
$z_2 = C_2 \pmod{s}$ (34)
By checking conditions (33) and (34), an error can be detected with high probability. If one of the conditions (33) or (34) is violated, the result of the modular exponentiation is regarded as faulty and is discarded.
Relative to the method of claim 8 of document WO-A1-98/52319, the numbers b1 and b2 in the variant of the method described here do not depend on the base x. When the RSA method or the Rabin signature method is used, a private key is typically installed once in a cryptographic device, for example a smart card, and then used many times. In the modular exponentiation used in these methods, the exponent d and the modulus p·q are fixed components of the private key. The values C1 and C2 therefore need to be calculated only once, when the key is installed in the cryptographic device, and can then be stored in the device. Compared with the method of document WO-A1-98/52319, storing these values saves two modular exponentiations.
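The two checks described above, formulas (15) to (20) and formulas (21) to (34), as an added Python example that is not code from the patent; a computation fault is simulated by flipping bits of z1. The function names, the toy key (two Mersenne primes), the multipliers R and S, the bases B1 and B2 and the message X are constructed for illustration, with R and S chosen odd, coprime and squarefree.

```python
from math import gcd


class FaultDetected(Exception):
    """Raised instead of releasing a result that failed its check."""


def crt(a1, m1, a2, m2):
    """Return z mod kgV(m1, m2) with z = a1 (mod m1) and z = a2 (mod m2)."""
    g = gcd(m1, m2)
    if (a1 - a2) % g:
        raise ValueError("residues disagree modulo ggT(m1, m2)")
    t = (a2 - a1) // g * pow(m1 // g, -1, m2 // g) % (m2 // g)
    return (a1 + m1 * t) % (m1 // g * m2)


def phi(n):
    """Euler's function by trial division; r and s have at most 32 bits."""
    result, f = n, 2
    while f * f <= n:
        if n % f == 0:
            while n % f == 0:
                n //= f
            result -= result // f
        f += 1
    return result - result // n if n > 1 else result


def exp_variant1(x, d, p, q, r, s, fault=0):
    """Formulas (15)-(20): recompute x from z modulo kgV(r, s)."""
    lcm_rs = r // gcd(r, s) * s                          # kgV(r, s)
    e = pow(d, -1, phi(lcm_rs))                          # (18); depends on the key only
    # phi(p*r) = (p - 1) * phi(r) because the large prime p does not divide r.
    z1 = pow(x % (p * r), d % ((p - 1) * phi(r)), p * r) ^ fault   # simulated fault
    z2 = pow(x % (q * s), d % ((q - 1) * phi(s)), q * s)
    z = crt(z1, p * r, z2, q * s)                        # (17)
    if pow(z, e, lcm_rs) != x % lcm_rs:                  # (19), (20)
        raise FaultDetected("C != x (mod kgV(r, s))")
    return z % (p * q)


def precompute_variant2(d, p, q, r, s, b1, b2):
    """Key-install step: C1 and C2 of (27), (28) do not depend on x."""
    d1, d2 = d % (p - 1), d % (q - 1)                    # (23), (24)
    return pow(b1, d1 % phi(r), r), pow(b2, d2 % phi(s), s)


def exp_variant2(x, d, p, q, r, s, b1, b2, c1, c2, fault=0):
    """Formulas (21)-(34): force x1 = b1 (mod r), x2 = b2 (mod s), compare with C1, C2."""
    x1 = crt(x % p, p, b1, r)                            # (21)
    x2 = crt(x % q, q, b2, s)                            # (22)
    z1 = pow(x1, d % (p - 1), p * r) ^ fault             # (25), simulated fault
    z2 = pow(x2, d % (q - 1), q * s)                     # (26)
    if z1 % r != c1 or z2 % s != c2:                     # (33), (34)
        raise FaultDetected("z1 != C1 (mod r) or z2 != C2 (mod s)")
    return crt(z1, p * r, z2, q * s) % (p * q)           # (31), (32)


# Constructed toy parameters (not from the patent): two Mersenne primes as p and q.
P, Q = 2**61 - 1, 2**89 - 1
D = pow(65537, -1, (P - 1) * (Q - 1))    # private exponent for public exponent 65537
# phi(R) and phi(S) are powers of two, so the odd exponent D is coprime to phi(kgV(R, S)).
R, S = 65535, 65537
B1, B2 = 4099, 12345                     # fixed bases, coprime to R and S respectively
X = 0x1234567890ABCDEF1234567890         # constructed message representative, X < P*Q

if __name__ == "__main__":
    c1, c2 = precompute_variant2(D, P, Q, R, S, B1, B2)
    expected = pow(X, D, P * Q)
    print("variant 1 correct:", exp_variant1(X, D, P, Q, R, S) == expected)
    print("variant 2 correct:",
          exp_variant2(X, D, P, Q, R, S, B1, B2, c1, c2) == expected)
    runs = (("variant 1", lambda: exp_variant1(X, D, P, Q, R, S, fault=1)),
            ("variant 2", lambda: exp_variant2(X, D, P, Q, R, S, B1, B2, c1, c2, fault=1)))
    for name, run in runs:
        try:
            run()
        except FaultDetected as err:
            print(name, "discarded faulty result:", err)
```

Variant 1 spends one extra small exponentiation modulo kgV(r, s) per call, whereas variant 2 only compares against the stored C1 and C2. The modular inverse via `pow(a, -1, m)` needs Python 3.8 or later.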
In a typical embodiment, a cryptographic device with additional hardware for accelerating modular arithmetic, for example a smart card, contains fast addition and multiplication units, while the division by a long number required for modular reduction must be carried out by the usual standard methods, known for example from Donald Knuth: "The Art of Computer Programming", Volume 2: Seminumerical Algorithms, 2nd ed., Addison-Wesley, 1981. One of several known methods for simplifying the division is to multiply the modulus p by a number r before the exponentiation so that the binary representation of the product p·r contains as many leading ones as possible; see, for example, Menezes et al., ibid., pages 598-599. Division by a number with as many leading ones as possible is considerably simpler than division by a general number.
According to the invention, the multiplier r is selected so that d is relatively prime to φ(r). In the above-described variant of the invention, this relative primality is not required. For each modulus p there is an optimal multiplier $r_{opt}$ that depends on the particular technical implementation of the division. If the value selected for r is slightly smaller than the optimum, the product p·r still contains enough leading ones for the division to be carried out simply. With high probability, the number d is relatively prime to at least one of the values $\varphi(r_{opt} - i)$, i = 1, ..., k, where k is a small number that depends on the implementation.
If this is not the case, r is replaced by $2^i \cdot r$, where $2^i$ is a suitable power of 2 depending on the implementation.
The same substitution can accordingly be applied to the second prime factor q. Since the multipliers r (for p) and s (for q) can be selected independently of each other, a corresponding selection is likewise possible for the multiplier s.

Claims (24)

1. A cryptographic method
A) having at least one calculation step comprising a modular exponentiation E, $E = x^d \pmod{p \cdot q}$, with a first prime factor p, a second prime factor q, an exponent d and a base x, wherein
B) to carry out the modular exponentiation, two natural numbers r and s are selected with the condition that d is relatively prime to $\varphi(\operatorname{kgV}(r, s))$, and the following calculation steps are carried out:
$x_1 = x \pmod{p \cdot r}$
$x_2 = x \pmod{q \cdot s}$
$d_1 = d \pmod{\varphi(p \cdot r)}$
$d_2 = d \pmod{\varphi(q \cdot s)}$
$z_1 = x_1^{d_1} \pmod{p \cdot r}$
$z_2 = x_2^{d_2} \pmod{q \cdot s}$
where φ(.) is Euler's function and kgV(r, s) is the least common multiple of r and s,
C) a number z is then calculated from z1 and z2 according to the Chinese Remainder Theorem with $z = z_1 \pmod{p \cdot r}$; $z = z_2 \pmod{q \cdot s}$;
D) the result E of the exponentiation is calculated by reducing z modulo p·q,
E) the previously calculated number z, and thus the result E, is checked for calculation errors in a check step,
F) the check step comprises the following calculation operations:
F1) calculating the smallest possible natural number e with the property $e \cdot d = 1 \pmod{\varphi(\operatorname{kgV}(r, s))}$ by means of the extended Euclidean algorithm,
F2) calculating the value $C = z^e \pmod{\operatorname{kgV}(r, s)}$,
F3) comparing the values x and C modulo kgV(r, s), whereby the result of the modular exponentiation E is discarded as faulty if $x \neq C \pmod{\operatorname{kgV}(r, s)}$.
2. A cryptographic method
A) having at least one calculation step comprising a modular exponentiation E, $E = x^d \pmod{p \cdot q}$, with a first prime factor p, a second prime factor q, an exponent d and a base x, wherein
B) to carry out the modular exponentiation, two natural numbers r and s are selected, and two numbers b1 and b2 in the intervals [1, ..., r-1] and [1, ..., s-1] respectively, b1 and b2 being relatively prime to r and s respectively and satisfying the condition $b_1 = b_2 \pmod{\operatorname{ggT}(r, s)}$, where ggT(r, s) denotes the greatest common divisor of r and s,
C) the two numbers b1 and b2 are used to calculate, according to the Chinese Remainder Theorem, values x1 and x2 satisfying:
$x_1 = x \pmod{p}$, $x_1 = b_1 \pmod{r}$
$x_2 = x \pmod{q}$, $x_2 = b_2 \pmod{s}$
and the following calculation steps are carried out:
$d_1 = d \pmod{\varphi(p)}$
$d_2 = d \pmod{\varphi(q)}$
$z_1 = x_1^{d_1} \pmod{p \cdot r}$
$z_2 = x_2^{d_2} \pmod{q \cdot s}$
where φ(.) is Euler's function and kgV(r, s) is the least common multiple of r and s,
D) a number z is then calculated from z1 and z2 according to the Chinese Remainder Theorem with $z = z_1 \pmod{p \cdot r}$; $z = z_2 \pmod{q \cdot s}$;
E) the result E of the exponentiation is calculated by reducing z modulo p·q,
F) the previously calculated number z (and thus automatically also the result E) is checked for calculation errors in a check step,
G) the check step comprises the following calculation operations:
G1) calculating the numbers
$C_1 = b_1^{d_1} \pmod{r}$
$C_2 = b_2^{d_2} \pmod{s}$
where d_1 and d_2 are reduced modulo φ(r) and φ(s) respectively before the modular exponentiation is carried out,
G2) comparing z1 and C1 modulo r and z2 and C2 modulo s, whereby the result of the modular exponentiation E is discarded as faulty if $C_1 \neq z_1 \bmod r$ or $C_2 \neq z_2 \bmod s$.
3. The cryptographic method according to claim 2, characterized in that the numbers r and s are odd.
4. The cryptographic method according to any one of claims 1 to 3, characterized in that the numbers r and s are selected in the range $[0, 2^k - 1]$ with 16 ≤ k ≤ 32.
5. The cryptographic method according to any one of claims 1 to 4, characterized in that at least one of the numbers r and s is selected so that the binary representation of the product p·r or q·s contains as many leading ones as possible.
6. The cryptographic method according to any one of claims 1 to 5, characterized in that both numbers r and s are selected so that the binary representation of the product p·r or q·s contains as many leading ones as possible.
7. The cryptographic method according to one of claims 5 and 6, characterized in that
A) in a first sub-step, the corresponding optimal number $r_{opt}$ or $s_{opt}$ is first selected for at least one of the numbers r and s, without regard to the condition that d be relatively prime to $\varphi(\operatorname{kgV}(r, s))$, and
B) in a second sub-step, neighbouring values $r = r_{opt} - i$ and $s = s_{opt} - i$, i = 0, 1, ..., k, are selected such that d is relatively prime to $\varphi(\operatorname{kgV}(r, s))$.
8. The cryptographic method according to one of claims 5 and 6, characterized in that
A) in a first sub-step, the corresponding optimal number $r_{opt}$ or $s_{opt}$ is selected for each of the numbers r and s, without regard to the condition that d be relatively prime to $\varphi(\operatorname{kgV}(r, s))$, and
B) in a second sub-step, values $r = 2^l \cdot r_{opt}$ and $s = 2^l \cdot s_{opt}$, l = 0, 1, ..., j, are selected such that d is relatively prime to $\varphi(\operatorname{kgV}(r, s))$.
9. The cryptographic method according to one of claims 5 and 6, characterized in that
A) in a first sub-step, at least one of the numbers $r_{opt}$ and $s_{opt}$ is first selected, without regard to the condition that d be relatively prime to $\varphi(\operatorname{kgV}(r, s))$,
B) in a second sub-step, neighbouring values $r = r_{opt} - i$ and $s = s_{opt} - i$, i = 0, 1, ..., k, are selected such that d is relatively prime to $\varphi(\operatorname{kgV}(r, s))$, if such a value exists for i = 0, 1, ..., k, and
C) in a third sub-step, values $r = 2^l \cdot r_{opt}$ and $s = 2^l \cdot s_{opt}$, l = 0, 1, ..., j, are selected such that d is relatively prime to $\varphi(\operatorname{kgV}(r, s))$, if no value was selected in the second sub-step.
10. The cryptographic method according to any one of the preceding claims, characterized in that it comprises the RSA method.
11. The cryptographic method according to any one of the preceding claims, characterized in that it comprises the Rabin signature method.
12. The cryptographic method according to any one of the preceding claims, characterized in that it comprises the Fiat-Shamir identification method.
13. A cryptographic device
A) having at least one exponentiation device for carrying out a calculation step comprising a modular exponentiation E,
$E = x^d \pmod{p \cdot q}$
with a first prime factor p, a second prime factor q, an exponent d and a base x, wherein
B) to carry out the modular exponentiation, two natural numbers r and s are selected with the condition that d is relatively prime to $\varphi(\operatorname{kgV}(r, s))$, and the following calculation steps are carried out:
$x_1 = x \pmod{p \cdot r}$
$x_2 = x \pmod{q \cdot s}$
$d_1 = d \pmod{\varphi(p \cdot r)}$
$d_2 = d \pmod{\varphi(q \cdot s)}$
$z_1 = x_1^{d_1} \pmod{p \cdot r}$
$z_2 = x_2^{d_2} \pmod{q \cdot s}$
where φ(.) is Euler's function and kgV(r, s) is the least common multiple of r and s,
C) a number z is then calculated from z1 and z2 according to the Chinese Remainder Theorem with $z = z_1 \pmod{p \cdot r}$; $z = z_2 \pmod{q \cdot s}$;
D) the result E of the exponentiation is calculated by reducing z modulo p·q,
E) the previously calculated number z (and thus automatically also the result E) is checked for calculation errors in a check step,
F) the check step comprises the following calculation operations:
F1) calculating the smallest possible natural number e with the property $e \cdot d = 1 \pmod{\varphi(\operatorname{kgV}(r, s))}$ by means of the extended Euclidean algorithm,
F2) calculating the value $C = z^e \pmod{\operatorname{kgV}(r, s)}$,
F3) comparing the values x and C modulo kgV(r, s), whereby the result of the modular exponentiation E is discarded as faulty if $x \neq C \pmod{\operatorname{kgV}(r, s)}$.
14. A cryptographic device
A) having at least one exponentiation device for carrying out at least one calculation step comprising a modular exponentiation E, $E = x^d \pmod{p \cdot q}$, with a first prime factor p, a second prime factor q, an exponent d and a base x, wherein
B) to carry out the modular exponentiation, two natural numbers r and s are selected, and two numbers b1 and b2 in the intervals [1, ..., r-1] and [1, ..., s-1] respectively, b1 and b2 being relatively prime to r and s respectively and satisfying the condition $b_1 = b_2 \pmod{\operatorname{ggT}(r, s)}$, where ggT(r, s) denotes the greatest common divisor of r and s,
C) the two numbers b1 and b2 are used to calculate, according to the Chinese Remainder Theorem, values x1 and x2 satisfying:
$x_1 = x \pmod{p}$, $x_1 = b_1 \pmod{r}$
$x_2 = x \pmod{q}$, $x_2 = b_2 \pmod{s}$
and the following calculation steps are carried out:
$d_1 = d \pmod{\varphi(p)}$
$d_2 = d \pmod{\varphi(q)}$
$z_1 = x_1^{d_1} \pmod{p \cdot r}$
$z_2 = x_2^{d_2} \pmod{q \cdot s}$
where φ(.) is Euler's function and kgV(r, s) is the least common multiple of r and s,
D) a number z is then calculated from z1 and z2 according to the Chinese Remainder Theorem with $z = z_1 \pmod{p \cdot r}$; $z = z_2 \pmod{q \cdot s}$;
E) the result E of the exponentiation is calculated by reducing z modulo p·q,
F) the previously calculated number z (and thus automatically also the result E) is checked for calculation errors in a check step,
G) the check step comprises the following calculation operations:
G1) calculating the numbers
$C_1 = b_1^{d_1} \pmod{r}$
$C_2 = b_2^{d_2} \pmod{s}$
where d_1 and d_2 are reduced modulo φ(r) and φ(s) respectively before the modular exponentiation is carried out,
G2) comparing the values z1 and C1 modulo r and z2 and C2 modulo s, whereby the result of the modular exponentiation E is discarded as faulty if $C_1 \neq z_1 \bmod r$ or $C_2 \neq z_2 \bmod s$.
15. The cryptographic device according to claim 14, characterized in that the numbers r and s are odd.
16. The cryptographic device according to any one of claims 13 to 15, characterized in that the numbers r and s are selected in the range $[0, 2^k - 1]$ with 16 ≤ k ≤ 32.
17. The cryptographic device according to any one of claims 13 to 16, characterized in that at least one of the numbers r and s is selected so that the binary representation of the product p·r or q·s contains as many leading ones as possible.
18. The cryptographic device according to any one of claims 13 to 17, characterized in that both numbers r and s are selected so that the binary representation of the product p·r or q·s contains as many leading ones as possible.
19. The cryptographic device according to one of claims 17 and 18, characterized in that
A) in a first sub-step, the corresponding optimal number $r_{opt}$ or $s_{opt}$ is first selected for at least one of the numbers r and s, without regard to the condition that d be relatively prime to $\varphi(\operatorname{kgV}(r, s))$, and
B) in a second sub-step, neighbouring values $r = r_{opt} - i$ and $s = s_{opt} - i$, i = 0, 1, ..., k, are selected such that d is relatively prime to $\varphi(\operatorname{kgV}(r, s))$.
20. The cryptographic device according to one of claims 17 and 18, characterized in that
A) in a first sub-step, the corresponding optimal number $r_{opt}$ or $s_{opt}$ is selected for each of the numbers r and s, without regard to the condition that d be relatively prime to $\varphi(\operatorname{kgV}(r, s))$, and
B) in a second sub-step, values $r = 2^l \cdot r_{opt}$ and $s = 2^l \cdot s_{opt}$, l = 0, 1, ..., j, are selected such that d is relatively prime to $\varphi(\operatorname{kgV}(r, s))$.
21. The cryptographic device according to one of claims 17 and 18, characterized in that
A) in a first sub-step, at least one of the numbers $r_{opt}$ and $s_{opt}$ is first selected, without regard to the condition that d be relatively prime to $\varphi(\operatorname{kgV}(r, s))$,
B) in a second sub-step, neighbouring values $r = r_{opt} - i$ and $s = s_{opt} - i$, i = 0, 1, ..., k, are selected such that d is relatively prime to $\varphi(\operatorname{kgV}(r, s))$, if such a value exists for i = 0, 1, ..., k, and
C) in a third sub-step, values $r = 2^l \cdot r_{opt}$ and $s = 2^l \cdot s_{opt}$, l = 0, 1, ..., j, are selected such that d is relatively prime to $\varphi(\operatorname{kgV}(r, s))$, if no value was selected in the second sub-step.
22. The cryptographic device according to any one of the preceding claims, characterized in that it comprises the RSA method.
23. The cryptographic device according to any one of the preceding claims, characterized in that it comprises the Rabin signature method.
24. The cryptographic device according to any one of the preceding claims, characterized in that it comprises the Fiat-Shamir identification method.
CN01809690.5A 2000-05-17 2001-05-15 Cryptographic method and device Pending CN1429360A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE10024325A DE10024325B4 (en) 2000-05-17 2000-05-17 Cryptographic method and cryptographic device
DE10024325.8 2000-05-17

Publications (1)

Publication Number Publication Date
CN1429360A true CN1429360A (en) 2003-07-09

Family

ID=7642491

Family Applications (1)

Application Number Title Priority Date Filing Date
CN01809690.5A Pending CN1429360A (en) 2000-05-17 2001-05-15 Cryptographic method and device

Country Status (12)

Country Link
US (1) US7227947B2 (en)
EP (1) EP1290545B1 (en)
JP (1) JP4977300B2 (en)
CN (1) CN1429360A (en)
AT (1) ATE309569T1 (en)
AU (2) AU6596701A (en)
BR (1) BR0110923A (en)
CA (1) CA2409200C (en)
DE (2) DE10024325B4 (en)
MX (1) MXPA02011222A (en)
RU (1) RU2276465C2 (en)
WO (1) WO2001088693A2 (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10162584A1 (en) * 2001-10-17 2003-05-08 Infineon Technologies Ag Method for validating an exponentiation result with the Chinese remainder theorem forms extra modules with two primary numbers for calculating extra values to work out a modular exponentiation to match the product of the values.
DE50204119D1 (en) 2001-10-17 2005-10-06 Infineon Technologies Ag METHOD AND DEVICE FOR OBTAINING A CALCULATION IN A CRYPTOGRAPHIC ALGORITHM
WO2003034268A2 (en) 2001-10-17 2003-04-24 Infineon Technologies Ag Method and device for securing an exponentiation calculation by means of the chinese remainder theorem (crt)
EP1540880B1 (en) * 2002-09-11 2006-03-08 Giesecke & Devrient GmbH Protected cryptographic calculation
US7840806B2 (en) * 2002-10-16 2010-11-23 Enterprise Information Management, Inc. System and method of non-centralized zero knowledge authentication for a computer network
US8239917B2 (en) * 2002-10-16 2012-08-07 Enterprise Information Management, Inc. Systems and methods for enterprise security with collaborative peer to peer architecture
US7597250B2 (en) 2003-11-17 2009-10-06 Dpd Patent Trust Ltd. RFID reader with multiple interfaces
US7762470B2 (en) 2003-11-17 2010-07-27 Dpd Patent Trust Ltd. RFID token with multiple interface controller
US7213766B2 (en) 2003-11-17 2007-05-08 Dpd Patent Trust Ltd Multi-interface compact personal token apparatus and methods of use
JP5291637B2 (en) * 2007-02-27 2013-09-18 トムソン ライセンシング Method and apparatus for generating a compressed RSA modulus
EP2697786B1 (en) * 2011-04-13 2017-10-04 Nokia Technologies Oy Method and apparatus for identity based ticketing
CA2970153C (en) 2014-12-10 2023-06-06 Kyndi, Inc. Apparatus and method for combinatorial hypermap based data representations and operations
US11005654B2 (en) 2019-05-14 2021-05-11 Google Llc Outsourcing exponentiation in a private group

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2737369A1 (en) * 1995-07-26 1997-01-31 Trt Telecom Radio Electr SYSTEM FOR COMMUNICATING ENCRYPTED MESSAGES ACCORDING TO A METHOD OF R.S.A.
GB2318892B (en) * 1996-10-31 2001-07-11 Motorola Ltd Co-processor for performing modular multiplication
US5991415A (en) * 1997-05-12 1999-11-23 Yeda Research And Development Co. Ltd. At The Weizmann Institute Of Science Method and apparatus for protecting public key schemes from timing and fault attacks

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100555213C (en) * 2003-10-14 2009-10-28 松下电器产业株式会社 Data converter
CN1883155B (en) * 2003-11-18 2010-12-22 爱特梅尔卢梭公司 Randomized modular reduction method and hardware therefor
CN104025018A (en) * 2011-10-28 2014-09-03 德国捷德有限公司 Efficient Prime-Number Check
CN104025018B (en) * 2011-10-28 2017-12-01 捷德移动安全有限责任公司 Effectively examine prime number
CN104123431A (en) * 2013-04-24 2014-10-29 国民技术股份有限公司 Element modular inversion calculation method and device
CN104123431B (en) * 2013-04-24 2018-09-14 国民技术股份有限公司 A kind of mould of element is against computational methods and device
CN105892991A (en) * 2015-02-18 2016-08-24 恩智浦有限公司 Modular multiplication using look-up tables

Also Published As

Publication number Publication date
WO2001088693A2 (en) 2001-11-22
JP4977300B2 (en) 2012-07-18
JP2003533752A (en) 2003-11-11
DE10024325A1 (en) 2001-12-06
MXPA02011222A (en) 2003-06-06
BR0110923A (en) 2003-03-11
AU2001265967B2 (en) 2005-11-24
ATE309569T1 (en) 2005-11-15
EP1290545A2 (en) 2003-03-12
US20040028221A1 (en) 2004-02-12
CA2409200A1 (en) 2002-11-18
AU6596701A (en) 2001-11-26
EP1290545B1 (en) 2005-11-09
WO2001088693A3 (en) 2002-02-28
DE50108011D1 (en) 2005-12-15
US7227947B2 (en) 2007-06-05
DE10024325B4 (en) 2005-12-15
CA2409200C (en) 2010-02-09
RU2276465C2 (en) 2006-05-10

Similar Documents

Publication Publication Date Title
CN1429360A (en) Cryptographic method and device
US9942039B1 (en) Applying modular reductions in cryptographic protocols
Overbeck A new structural attack for GPT and variants
CN1425231A (en) Cryptography method on elliptic curves
CN1648967A (en) Cryptographic apparatus, cryptographic method, and storage medium thereof
Aciiçmez et al. Improving Brumley and Boneh timing attack on unprotected SSL implementations
CN1218531C (en) Countermeasure method in electric component implementing elliptical curve type public key cryptography algorithm
CN1554047A (en) Device and method for calculating the result of a modular exponentiation
Abdeldaym et al. Modified RSA algorithm using two public key and Chinese remainder theorem
Li et al. Design and implementation of an improved RSA algorithm
CN1592190A (en) Hardware cryptographic engine and encryption method
CN1348646A (en) Method and device for effective key length control
CN111385092B (en) Cipher device using information blinding and its cipher processing method
CN1314223C (en) Cryptography private key storage and recovery method and apparatus
CN1483260A (en) Method and device for detecting a key pair and for generating rsa keys
CN1411644A (en) Countermeasure method in electronic component which uses RSA-type public key cryptographic algorithm
CN1630999A (en) Method for countermeasure in an electronic component using a secret key algorithm
CN1833220A (en) Methods and apparatus for extracting integer remainders
CN111368317B (en) Computer data encryption system and method
CN1568457A (en) Secure method for performing a modular exponentiation operation
CN1270472C (en) Device and method for generating electronic keys from mutual prime numbers
Heiman A note on discrete logarithms with special structure
WO2007129197A1 (en) Cryptographic apparatus and process
CN1392472A (en) Montgomery analog multiplication algorithm for VLSI and VLSI structure of intelligent card analog multiplier
CN1397035A (en) Modular exponential algorithm in electronic component using public key encryption algorithm

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication